BURLINGTON, Mass. — Veracode, a leading global provider of application security testing solutions, today revealed that the manufacturing sector has the lowest number of software security flaws, dethroning financial services which took first place last year. The data was published in the company’s annual State of Software Security (SoSS) report v12, which analyzed 20 million scans across half a million applications in the manufacturing, healthcare, financial services, technology, retail, and government sectors.
While the industry grappled with increased pressure and demand on the supply chain, manufacturing emerged as the most-targeted industry by cybercriminals in 2021, with vulnerability exploitation identified as the top initial attack vector*. Securing the software supply chain has, therefore, never been a greater priority since mandates like the US Executive Order on Cybersecurity and the EU Cyber Resilience Act put the issue firmly in the spotlight.
Chris Eng, Chief Research Officer at Veracode, said, “It’s encouraging to see flaw reduction over the past year as manufacturing organizations continue to make software security a priority—especially since technological innovation has led to the increased adoption of new platforms and environments. Last year, we found 76 percent of manufacturing apps contained flaws, with 21 percent considered ‘high severity’. These figures have decreased considerably.”
Open-source Security Flaws Stick Around for Longer
Despite the positive results in terms of flaw prevalence, Veracode’s research revealed the manufacturing sector—alongside healthcare and technology—has the lowest proportion of flaws that are fixed once they’re discovered. More alarming is the amount of time taken to remediate flaws—manufacturing industries post among the slowest timeframes for flaws discovered by static analysis (SAST), dynamic analysis (DAST), and software composition analysis (SCA). For example, around 55 percent of flaws discovered by static analysis remain unfixed after one year, and the manufacturing sector consistently lags behind the overall average by four months.
Flaws in third-party libraries found through SCA stick around longer for all industries, with 30 percent of vulnerable libraries remining unresolved after two years. For the manufacturing sector, that statistic rises to over 40 percent, lagging the cross-industry average by more than six months.
Eng said, “This may be influenced by a larger number of specialized, industrial applications that have fewer, but harder to fix, flaws than in other industries. These results amplify the need for manufacturers to focus on addressing flaws in a timely fashion.”
Some Flaws Are More Common Than Others
The research also dived into flaw type across programming languages used by applications in the manufacturing sector, including Java, .NET, and JavaScript. Veracode’s research examined the types of flaws affecting applications, and found that server configuration, insecure dependencies, and information leakage are among the most common discovered in the manufacturing sector.
Eng closed, “The safety of businesses and critical infrastructure is largely dependent on the software supply chain being secure and this can only be achieved by having visibility of its components. Integrating security early in the software development lifecycle and leveraging tools to generate a Software Bill of Materials (SBOM) will provide manufacturers with assurance that the products they place in the market have fewer vulnerabilities and, therefore, less risk.”
